Jan 10 2020
01:56 AM
- last edited on
Jul 27 2020
07:04 PM
by
TechCommunityAP
Jan 10 2020
01:56 AM
- last edited on
Jul 27 2020
07:04 PM
by
TechCommunityAP
Hello,
we have users in local AD that could be absent for a while and we have to disable their local AD accouns for compliance reasons.
Now, due to an active Azure AD sync this will also delete their account in Azure AD / Office 365. I found a neat guide how to exclude users from the AD -> AAD sync by setting a value in a free extensionAttribute and configuring a synchronization rule to set the property "cloudFiltered" to true.
This is all explained in this guide https://www.checkyourlogs.net/?p=66483
However, when testing it, as soon as I set the extension attribute and perform a delta import, and delta sync on the AD connector in the AAD Synchronization Service it will attempt to completeley delete the persons cloud object. I found out that this is because the "ms-DS-ConsistencyGUID"'s value is removed. I can't figure out why that synchronization rules causes this to occurr. I verified that it must be this rule since I can change any other attribute of the person object and it will update properly. Only when I populate the extensionAttribute configured in the sync rule will the rmoval of the "ms-DS-ConsistencyGUID"'s value be triggered.
Any ideas?
Thanks.
Jan 10 2020 02:10 AM
Jan 10 2020 03:37 AM
@Thijs Lecomte Well, no. We simply disable the AD account. And with this sync rule I was hoping that the deletion would not be replicated to AAD removing the account there since this will trigger the deletion of the user's OneDrive which is what we want to avoid when we know that the user will return after a couple of months.
Jan 10 2020 06:34 AM
Solution@Deleted
The regular AD Connect flow is as follows:
- Disable account in AD
- Account gets disabled in AAD, like below:
If it's disabled, the Onedrive will still exist
Only if you delete the account, will the account be deleted in AzureAD.
If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.
Jan 10 2020 12:56 PM
Just to confirm what Thijs said - disabling the account in AD should NOT result in deletion of the corresponding Azure AD/Office 365 account. If that happens, you have a custom rule in place and you should edit it accordingly to exclude those users.
Jan 12 2020 02:04 AM
@Deleted
The purpose of setting "cloudFiltered" to "true", is to disable sync of a particular Object.
This rule that you have customized is creating issues.
On-prem disable account will never get deleted from Azure AD, whereas for disabled accounts on prem, "Block Sign in is set to true"
https://www.youtube.com/watch?v=cAWgF5QSWcs&list=PL8wOlV8Hv3o8yJgQ-zd6MQs__0jAYDqZ1
Jan 13 2020 04:22 AM
Guys thanks for your help. I spoke to a colleague and unbeknownst to me with the disabling the OU was also changed. Can this be configured so that an OU change does not trigger a DELETION or ADD?
Thanks.
Jan 13 2020 06:33 AM
Jan 14 2020 12:04 AM
@Thijs Lecomte Got it, thank you!
Jan 16 2020 03:45 AM
Jan 10 2020 06:34 AM
Solution@Deleted
The regular AD Connect flow is as follows:
- Disable account in AD
- Account gets disabled in AAD, like below:
If it's disabled, the Onedrive will still exist
Only if you delete the account, will the account be deleted in AzureAD.
If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.